[ ok ] Starting enhanced syslogd: rsyslogd.
[ 15.487420] audit: type=1400 audit(1519179591.691:5): avc: denied { syslog } for pid=4009 comm="rsyslogd" capability=34 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login:
[ 19.567947] audit: type=1400 audit(1519179595.771:6): avc: denied { map } for pid=4150 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.16' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz0.accept_dad = 0
net.ipv6.conf.syz0.router_solicitations = 0
[ 31.618051] audit: type=1400 audit(1519179607.821:7): avc: denied { map } for pid=4166 comm="syzkaller402437" path="/root/syzkaller402437776" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 31.626464] IPVS: ftp: loaded support on port[0] = 21
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 31.821517] ip (4205) used greatest stack depth: 16128 bytes left
[ 31.853627] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
executing program
[ 32.167237]
[ 32.168882] =====================================
[ 32.173691] WARNING: bad unlock balance detected!
[ 32.178499] 4.16.0-rc2+ #235 Not tainted
[ 32.182527] -------------------------------------
[ 32.187334] syzkaller402437/4167 is trying to release lock (rcu_read_lock_bh) at:
[ 32.194934] [] hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 32.201910] but there are no more locks to release!
[ 32.206888]
[ 32.206888] other info that might help us debug this:
[ 32.213531] 5 locks held by syzkaller402437/4167:
[ 32.218346] #0: (&xt[i].mutex){+.+.}, at: [<000000005d78b568>] xt_find_table_lock+0x273/0x3e0
[ 32.227169] #1: (&mm->mmap_sem){++++}, at: [<00000000b53edf21>] __do_page_fault+0x32d/0xc90
[ 32.235811] #2: ((&idev->mc_dad_timer)){+.-.}, at: [<00000000181b6e4b>] call_timer_fn+0x1c6/0x820
[ 32.244968] #3: (rcu_read_lock){....}, at: [<000000004f4e0b8a>] mld_sendpack+0x180/0xe70
[ 32.253341] #4: (rcu_read_lock){....}, at: [<000000002145dd8d>] nf_hook.constprop.37+0x0/0x830
[ 32.262235]
[ 32.262235] stack backtrace:
[ 32.266699] CPU: 1 PID: 4167 Comm: syzkaller402437 Not tainted 4.16.0-rc2+ #235
[ 32.274114] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.283434] Call Trace:
[ 32.285984]
[ 32.288104] dump_stack+0x194/0x257
[ 32.291698] ? arch_local_irq_restore+0x53/0x53
[ 32.296335] ? hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 32.301753] print_unlock_imbalance_bug+0x12f/0x140
[ 32.306737] lock_release+0x6fe/0xa40
[ 32.310505] ? hashlimit_mt_common.isra.10+0x1beb/0x2610
[ 32.315922] ? lock_downgrade+0x980/0x980
[ 32.320035] ? lock_release+0xa40/0xa40
[ 32.323976] ? __raw_spin_lock_init+0x1c/0x100
[ 32.328525] ? do_raw_spin_trylock+0x190/0x190
[ 32.333078] hashlimit_mt_common.isra.10+0x1c08/0x2610
[ 32.338326] ? dsthash_find+0x5b0/0x5b0
[ 32.342270] ? __lock_acquire+0x664/0x3e00
[ 32.346471] ? is_bpf_text_address+0x7b/0x120
[ 32.350934] ? lock_downgrade+0x980/0x980
[ 32.355050] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 32.360208] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 32.365364] ? is_bpf_text_address+0xa4/0x120
[ 32.369830] ? __kernel_text_address+0xd/0x40
[ 32.374293] ? unwind_get_return_address+0x61/0xa0
[ 32.379191] hashlimit_mt+0x78/0x90
[ 32.382784] ? hashlimit_mt+0x78/0x90
[ 32.386560] ip6t_do_table+0x98d/0x1a30
[ 32.390513] ? kmem_cache_alloc_trace+0x136/0x740
[ 32.395322] ? mld_sendpack+0x617/0xe70
[ 32.399266] ? ip6t_error+0x60/0x60
[ 32.402860] ? nf_setsockopt+0x67/0xc0
[ 32.406718] ? check_noncircular+0x20/0x20
[ 32.410920] ? lock_acquire+0x1d5/0x580
[ 32.414863] ? lock_acquire+0x1d5/0x580
[ 32.418803] ? igmp6_mcf_seq_next+0x660/0x660
[ 32.423264] ? lock_release+0xa40/0xa40
[ 32.427204] ip6table_raw_hook+0x65/0x80
[ 32.431232] nf_hook_slow+0xba/0x1a0
[ 32.434914] nf_hook.constprop.37+0x3f6/0x830
[ 32.439378] ? igmp6_mcf_seq_next+0x660/0x660
[ 32.443839] ? trace_hardirqs_on+0xd/0x10
[ 32.447953] ? __local_bh_enable_ip+0x121/0x230
[ 32.452592] ? _raw_spin_unlock_bh+0x30/0x40
[ 32.456970] ? rt6_uncached_list_add+0x1b7/0x240
[ 32.461691] ? rt6_fill_node+0x18b0/0x18b0
[ 32.465896] ? icmp6_dst_alloc+0x475/0x660
[ 32.470100] ? ip6_mc_leave_src+0x1d0/0x1d0
[ 32.474390] ? icmpv6_flow_init+0x1f6/0x270
[ 32.478679] mld_sendpack+0x6c2/0xe70
[ 32.482449] ? nf_hook.constprop.37+0x830/0x830
[ 32.487086] ? mark_held_locks+0xaf/0x100
[ 32.491202] ? trace_hardirqs_on+0xd/0x10
[ 32.495316] ? __local_bh_enable_ip+0x121/0x230
[ 32.499953] mld_send_initial_cr.part.25+0x103/0x150
[ 32.505023] mld_dad_timer_expire+0x31/0x100
[ 32.509401] call_timer_fn+0x228/0x820
[ 32.513258] ? mld_send_initial_cr.part.25+0x150/0x150
[ 32.518505] ? process_timeout+0x40/0x40
[ 32.522537] ? __run_timers+0x7e3/0xb70
[ 32.526478] ? lock_downgrade+0x980/0x980
[ 32.530593] ? debug_object_deactivate+0x364/0x560
[ 32.535836] ? lock_release+0xa40/0xa40
[ 32.539778] ? mark_held_locks+0xaf/0x100
[ 32.543894] ? trace_hardirqs_on_caller+0x19e/0x5c0
[ 32.548887] ? mld_send_initial_cr.part.25+0x150/0x150
[ 32.554516] ? mld_send_initial_cr.part.25+0x150/0x150
[ 32.559765] __run_timers+0x7ee/0xb70
[ 32.563537] ? trigger_dyntick_cpu.isra.29+0x150/0x150
[ 32.568784] ? timerqueue_add+0x1e9/0x280
[ 32.572900] ? check_noncircular+0x20/0x20
[ 32.577103] ? enqueue_hrtimer+0x177/0x4b0
[ 32.581303] ? lock_release+0xa40/0xa40
[ 32.585245] ? retrigger_next_event+0x1e0/0x1e0
[ 32.589884] ? print_irqtrace_events+0x270/0x270
[ 32.594605] ? check_noncircular+0x20/0x20
[ 32.598809] ? clockevents_program_event+0x163/0x2e0
[ 32.603879] ? lock_downgrade+0x980/0x980
[ 32.607995] ? __lock_is_held+0xb6/0x140
[ 32.612024] run_timer_softirq+0x4c/0x70
[ 32.616056] __do_softirq+0x2d7/0xb85
[ 32.619822] ? ktime_get+0x26f/0x3a0
[ 32.623506] ? __irqentry_text_end+0x1f8ad4/0x1f8ad4
[ 32.628576] ? check_noncircular+0x20/0x20
[ 32.632781] ? native_apic_msr_write+0x5c/0x80
[ 32.637328] ? lapic_next_event+0x54/0x80
[ 32.641445] ? clockevents_program_event+0x108/0x2e0
[ 32.646514] ? tick_program_event+0x83/0x100
[ 32.650889] ? __lock_is_held+0xb6/0x140
[ 32.654921] irq_exit+0x1cc/0x200
[ 32.658340] smp_apic_timer_interrupt+0x16b/0x700
[ 32.663152] ? smp_call_function_single_interrupt+0x640/0x640
[ 32.669003] ? _raw_spin_lock+0x32/0x40
[ 32.672945] ? _raw_spin_unlock+0x22/0x30
[ 32.677059] ? handle_edge_irq+0x2b4/0x7c0
[ 32.681263] ? task_prio+0x50/0x50
[ 32.684775] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.689587] apic_timer_interrupt+0x8e/0xa0
[ 32.693873]
[ 32.696080] RIP: 0010:lock_is_held_type+0x18b/0x210
[ 32.701063] RSP: 0018:ffff8801b228efa0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff12
[ 32.708739] RAX: dffffc0000000000 RBX: 0000000000000282 RCX: ffffffff819dd382
[ 32.715976] RDX: 1ffffffff0d592d5 RSI: ffffffff86b42700 RDI: 0000000000000282
[ 32.723212] RBP: ffff8801b228efc0 R08: 000000000002fc50 R09: 0000000000000000
[ 32.730450] R10: ffffffffffffffe8 R11: 0000000000000000 R12: ffff8801af0841c0
[ 32.737689] R13: 0000000000000000 R14: 0000000000001205 R15: 00000000000001b3
[ 32.744933] ? clear_huge_page+0x92/0x730
[ 32.749053] ? trace_event_raw_event_sched_switch+0x810/0x810
[ 32.754904] ___might_sleep+0x35e/0x470
[ 32.758845] ? trace_event_raw_event_sched_switch+0x810/0x810
[ 32.764697] ? __might_sleep+0x95/0x190
[ 32.768638] clear_huge_page+0xa5/0x730
[ 32.772583] ? __raw_spin_lock_init+0x2d/0x100
[ 32.777136] do_huge_pmd_anonymous_page+0x599/0x1b00
[ 32.782209] ? __thp_get_unmapped_area+0x130/0x130
[ 32.787106] ? __lock_acquire+0x664/0x3e00
[ 32.791309] ? __lock_acquire+0x664/0x3e00
[ 32.795514] ? kernel_text_address+0x102/0x140
[ 32.800066] ? __is_insn_slot_addr+0x1fc/0x330
[ 32.804632] ? lock_downgrade+0x980/0x980
[ 32.808758] ? debug_check_no_locks_freed+0x3c0/0x3c0
[ 32.813917] ? modules_open+0xa0/0xa0
[ 32.817690] ? trace_raw_output_xdp_redirect_map_err+0x440/0x440
[ 32.823802] ? is_bpf_text_address+0x7b/0x120
[ 32.828263] ? lock_downgrade+0x980/0x980
[ 32.832380] ? lock_release+0xa40/0xa40
[ 32.836324] ? __free_insn_slot+0x5c0/0x5c0
[ 32.840615] ? rcutorture_record_progress+0x10/0x10
[ 32.845599] ? is_bpf_text_address+0xa4/0x120
[ 32.850061] ? kernel_text_address+0x102/0x140
[ 32.854614] __handle_mm_fault+0x1a0c/0x3ce0
[ 32.858990] ? __pmd_alloc+0x4e0/0x4e0
[ 32.862846] ? check_noncircular+0x20/0x20
[ 32.867050] ? print_lockdep_cache.isra.32+0x109/0x109
[ 32.872296] ? find_held_lock+0x35/0x1d0
[ 32.876325] ? handle_mm_fault+0x270/0x970
[ 32.880532] ? lock_downgrade+0x980/0x980
[ 32.884651] handle_mm_fault+0x35c/0x970
[ 32.888775] ? __handle_mm_fault+0x3ce0/0x3ce0
[ 32.893322] ? vmacache_find+0x5f/0x280
[ 32.897265] ? find_vma+0x30/0x150
[ 32.900774] __do_page_fault+0x5c9/0xc90
[ 32.904803] ? mm_fault_error+0x2c0/0x2c0
[ 32.908916] ? kfree+0xd9/0x260
[ 32.912166] ? xt_free_table_info+0x110/0x170
[ 32.916631] ? __do_replace+0x810/0xa70
[ 32.920571] ? check_noncircular+0x20/0x20
[ 32.924773] ? rawv6_setsockopt+0x4a/0xf0
[ 32.928890] ? sock_common_setsockopt+0x95/0xd0
[ 32.933528] do_page_fault+0xee/0x730
[ 32.937298] ? __do_page_fault+0xc90/0xc90
[ 32.941500] ? find_held_lock+0x35/0x1d0
[ 32.945533] ? __might_fault+0x110/0x1d0
[ 32.949565] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.954379] page_fault+0x62/0x90
[ 32.957802] RIP: 0010:copy_user_generic_unrolled+0x89/0xc0
[ 32.963390] RSP: 0018:ffff8801b228f9b8 EFLAGS: 00010206
[ 32.968719] RAX: fffff520002fde06 RBX: 0000000000000030 RCX: 0000000000000006
[ 32.975958] RDX: 0000000000000000 RSI: ffffc900017ef000 RDI: 0000000020849fd0
[ 32.983196] RBP: ffff8801b228f9e8 R08: 0000000000000000 R09: fffff520002fde06
[ 32.990432] R10: 0000000000000006 R11: fffff520002fde05 R12: 0000000020849fd0
[ 32.997669] R13: ffffc900017ef000 R14: 00007ffffffff000 R15: 000000002084a000
[ 33.004914] ? _copy_to_user+0x9b/0xc0
[ 33.008769] __do_replace+0x840/0xa70
[ 33.012539] ? compat_table_info+0x4a0/0x4a0
[ 33.016917] ? kasan_check_write+0x14/0x20
[ 33.021119] ? _copy_from_user+0x99/0x110
[ 33.025233] do_ip6t_set_ctl+0x40f/0x5f0
[ 33.029259] ? translate_compat_table+0x1c50/0x1c50
[ 33.034245] ? mutex_unlock+0xd/0x10
[ 33.037929] ? nf_sockopt_find.constprop.0+0x1a7/0x220
[ 33.043171] nf_setsockopt+0x67/0xc0
[ 33.046850] ipv6_setsockopt+0x10b/0x130
[ 33.050877] rawv6_setsockopt+0x4a/0xf0
[ 33.054816] sock_common_setsockopt+0x95/0xd0
[ 33.059280] SyS_setsockopt+0x189/0x360
[ 33.063222] ? SyS_recv+0x40/0x40
[ 33.066642] ? mm_fault_error+0x2c0/0x2c0
[ 33.070760] ? move_addr_to_kernel+0x60/0x60
[ 33.075138] ? do_syscall_64+0xb6/0x940
[ 33.079097] ? SyS_recv+0x40/0x40
[ 33.082520] do_syscall_64+0x280/0x940
[ 33.086374] ? __do_page_fault+0xc90/0xc90
[ 33.090575] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 33.095298] ? syscall_return_slowpath+0x550/0x550
[ 33.100195] ? syscall_return_slowpath+0x2ac/0x550
[ 33.105093] ? prepare_exit_to_usermode+0x350/0x350
[ 33.110085] ? retint_user+0x18/0x18
[ 33.113766] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.118576] entry_SYSCALL_64_af